Undetectable firewall

ABSTRACT

An undetectable firewall for network protection has been developed. The invention includes a method of preventing unauthorized access to a computer system. The firewall receives a data packet and copies its contents exactly. Next, the firewall analyzes the data packet and determines if it is authorized to access the network. If the packet is authorized to access the network, it is sent on to its destination. If the packet is unauthorized to access the network, it is dropped by the firewall.

BACKGROUND OF INVENTION

1. Field of the Invention

The invention relates generally to computer security. More particularly,this invention relates to a computer security system that providesundetectable firewall protection.

2. Background Art

As society's dependence on computers increases, the importance ofsecurity for computers and their networks also increases. Threats suchas hackers can shut down or damage large computer networks and costsignificant amounts of money, resources, and time. Security measures toprevent such incidents are constantly evolving along with the nature andsophistication of the threat.

One technique to protect a computer network from external threats is byusing a “firewall”. A firewall is a combination of hardware and softwarethat is placed between a network and its exterior. FIG. 1 shows aschematic of a prior art network 10 with a firewall. The network 10includes a series of users 12 a–12 dthat are linked and controlledthrough a server 14. The device could also be a router or a switch forthe network. A firewall 16 is installed between the server 14 and thenetwork exterior 20. The server 14, the firewall 16, and the exterior 20are interconnected through a single line 18. The single line 18 preventsoutsiders from accessing the network except through the firewall 16. Thefirewall receives all data from the network exterior before it is sentto the network users. The data may be e-mail, encrypted data, internetqueries, or any other type of network traffic. The firewall sorts andanalyzes the data and determines whether it should have access to thenetwork. If the data is authorized, the firewall forwards the data on toits destination. If the data is unauthorized, the firewall denies accessto the network.

Data is normally transmitted in multiple bundles of information called“data packets” or “packets”. A message, query, etc. from the outsidenetwork is broken down into these packets in order to provide moreefficient transmission of the data. Once all packets of data arrive atthe destination, the packets are re-assembled. However, the packetscontain more information than just the transmitted data. FIG. 2 shows adiagram of a prior art data packet 30. The packet 30 includes threesegments: a header 32; a body 34; and a trailer 36. The body 34 is thesegment that contains the actual substance of the data.

The header 32 and the trailer 36 both contain various fields that arenecessary for the administrative control of the packet 30. The header 32segment includes: a flag 38 a; an address field 40; and a control field42. The trailer 36 segment includes: a sequence check field 44 and aflag 38 b. The first flag 38 a signifies the start of the packet 30. Asecond flag 38 b signifies the end of the packet 30. The sequence checkfield 44 provides a check to ensure the data of the packet was properlyreceived. The address field 40 includes the addresses of the source andthe destination of the data. The control field 42 contains variousinformation related to the administration of the packet 30 including a“time-to-live” field. The time-to-live field is an internal countdownmechanism that ensures that undeliverable or lost packets are deleted.The time-to-live field is given a certain value when the packet is firsttransmitted. As the packet passes through various servers, routers,switches, bridges, gateways, etc. that make up a network, thetime-to-live field is decremented once by each device it passes through.Once the time-to-live field reaches zero, the packet is deleted. Thismechanism prevents a lost or undeliverable packet from circulating onthe network in an endless loop.

FIG. 3 shows a flow chart 50 of a prior art network firewall protectionscheme. First, a packet is received at the firewall 52 from the networkexterior 20. The firewall then conducts a handshake protocol 54 afterreceipt of the packet. The operations of network components are governedby protocols. A protocol is simply an established set of rules orstandards that allow computers to connect with one another and exchangeinformation and data with as little error as possible. Protocols mayvary widely based different types of computer operating systems and onthe different types of communications that are being transmitted. Ahandshake protocol governs a series of signals acknowledging that thetransfer of data can take place between devices (“the handshake”).During the handshake, various changes are made to the packet by thefirewall. The address of the firewall is added to the address field toshow that the packet has left the firewall. Also, the time-to-live fieldis decremented by the firewall.

After completing the handshake 54, the packet is analyzed by thefirewall to determine whether or not the data is acceptable to forwardon to its destination in the network 56. The firewall analyzes the datathrough a technique called “pattern matching” that is well known in theart. Additionally, other techniques such as “protocol analysis” could beused as well. If the packet is authorized, it is forwarded on to thenetwork destination by the firewall 58. If the packet is unauthorized,it is denied access to the network 60 and a message such as “resourcedenied” or “resource restricted” is sent to the sender. The party whosent the data from the exterior network is able to monitor and detectthe presence of the firewall after the handshake protocol 62 and afteraccess has been denied 62 due to the changes in the packet at thehandshake 62. Once a hacker is able to detect the presence of afirewall, attempts can be made penetrate it and gain access to thenetwork. If a hacker gains knowledge of the presence of a firewall,probes can be made against it. Ultimately, the firewall may be breachedor bypassed and unauthorized access to the network can be gained by thehacker.

In addition to the contents of the data packet described in FIG. 2, adata packet will also contain an “ethernet frame field”. The ethernetframe field is used by an ethernet card which is a piece of hardwarewithin the firewall that manages access to the network. FIG. 4 shows aschematic 70 of a prior art data packet with an ethernet frame field.The contents of the data packet are similar to what was previouslydescribed in FIG. 2. The data packet includes three segments: a header72; a body 74; and a trailer 76. The header 72 segment includes: a flag78 a; an address field 80; and a control field 82. The trailer 76segment includes: a sequence check field 84 and a flag 78 b.Additionally, two segments of the ethernet frame field 86 a and 86 b areincluded immediately in front of the first flag 78 a and immediatelyfollowing the second flag 78 b respectively.

The ethernet frame field 86 a and 86 b is simply a protocol forprocessing the packet. Like the data packet, its contents are changedwhen it leaves the firewall. Specifically, the firewall adds itsspecific media access controller (“MAC”) address to frame field 86 a and86 b. The MAC address is a layer of the ISO/OSI (InternationalOrganization for Standardization/Open Systems Interconnection) referencemodel. The ISO/OSI model separates computer to computer communicationinto seven protocol layers. The ethernet card and the MAC are parts ofone of the lower layers of this model and they manage access to thephysical network.

One prior art solution is to make a firewall more difficult to detect (a“stealth firewall”). FIG. 5 shows a flow chart 90 of a prior art networkstealth firewall protection scheme. As shown previously in FIG. 3, apacket is first received at the firewall 92 from the network exterior20. However, a stealth firewall conducts a different type of handshakeprotocol 94. A stealth firewall does not decrement the time-to-livefield of the packet. Consequently, anyone monitoring the status of thepackets in the network exterior 20 will not be able to see the stealthfirewall due to a change in the value of the time-to-live field. Afterthe stealth handshake 94, the stealth firewall analyzes the packet 96 ina similar manner as previously described for reference number 56 inprior art FIG. 3. If the packet is authorized, it is forwarded on to thenetwork destination by the firewall 98. If the packet is not authorized,it is denied access to the network 100. However, the firewall does notrespond to the sender with any type of message indicating a denial ofaccess. Instead, the stealth firewall simply drops the packet 102. Thesender is prevented from detecting the stealth firewall by finding anyindication of its presence in a decremented time-to-live field or adenial of access message.

However, a stealth firewall may still be detected by the changes itmakes to the packet during its handshake protocol 94. Specifically, astealth firewall leaves its own MAC address in the packet as it conductsthe stealth handshake protocol 94. Once the presence of the stealthfirewall is detected through the MAC address, a hacker can then begin toprobe the firewall and attempt to find a way around it to gain access tothe network. In order to prevent attacks by hackers on a firewall, it isnecessary to make the firewall undetectable to parties outside thenetwork.

SUMMARY OF THE INVENTION

In some aspects, the present invention relates to a method of preventingunauthorized access to a computer system, comprising: receiving a datapacket at a firewall; copying the data packet at the firewall; analyzingthe data packet with the firewall to determine if the data packet isauthorized to access the computer system; sending an authorized datapacket to the computer system; and denying access of an unauthorizeddata packet to the computer system.

In other aspects, the present invention relates to a method ofpreventing unauthorized access to a computer system, comprising: step ofreceiving data; step of passively copying the data; step of analyzingthe data for authorization to access the computer system; and step ofallowing access to the computer system for authorized data; and step ofdenying access to the computer system for unauthorized data.

In other aspects, the present invention relates to a method of remotelymanaging a firewall, comprising: receiving a control data packet at thefirewall from a remote location; copying the control data packet at thefirewall; analyzing the control data packet to determine if the controldata packet is authorized to access the firewall; and allowing anauthorized control data packet to control the firewall.

In other aspects, the present invention relates to a method of remotelymanaging a firewall, comprising: step of receiving control data at thefirewall from a remote location; step of copying the control data; stepof analyzing the control data to determine if the control data isauthorized to access the firewall; and step of allowing authorizedcontrol data to access the firewall.

Other aspects and advantages of the invention will be apparent from thefollowing description and the appended claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a schematic of a prior art network with a firewall.

FIG. 2 shows a schematic of a prior art data packet.

FIG. 3 shows a flow chart of a prior art network firewall protectionscheme.

FIG. 4 shows a schematic of a prior art data packet with an Ethernetframe.

FIG. 5 shows a flow chart of a prior art network stealth firewallprotection scheme.

FIG. 6 shows a flow chart of one embodiment of network firewallprotection in accordance with the present invention.

FIG. 7 shows a flow chart of an alternative embodiment of networkfirewall protection in accordance with the present invention.

FIG. 8 shows a firewall network with an external controller inaccordance with one embodiment of the present invention.

FIG. 9 shows a flow chart of one embodiment of external network controlof a firewall in accordance with the present invention.

DETAILED DESCRIPTION

An undetectable firewall for network protection has been developed. FIG.6 shows a flow chart 110 of one embodiment of network firewallprotection in accordance with the present invention. First, a packet isreceived at the firewall 112 from the network exterior 20. Theembodiment of the present invention conducts a “passive copying” 114 ofthe packet. After the packet is passively copied 114, the firewallanalyzes the packet to determine whether or not it is acceptable toforward on to its destination in the network 116. The firewall analyzesthe packet by the pattern matching technique, protocol analysis, or anyother suitable technique that is known in the art. If the packet isacceptable, it is passed on through to the network 118. If the packet isnot acceptable, access to the network is denied 120 and the packet isdropped 122 with no denial of access message being sent to the source ofthe packet. As a result, there is no detectable response to the senderof denied access from the firewall.

The passive copying 114 by the firewall of the packet is a low leveloperation that does not change the contents of the packet. No addressexists for the firewall. Consequently, no address from the firewall isadded to the packet, including the MAC address. Instead, the firewallallows the ethernet frame field along with the source address and otherinformation of the packet to stay the same as when it was received bythe firewall. The copied ethernet frame field is then used to transportthe data packet. Additionally, the time-to-live field is not decrementedby the firewall because the protocol of the operating system thatrequires decrementing is ignored. The entire contents of the packet,including the header with its address and control fields are exactly thesame as when the packet was received by the firewall. Consequently, anyparty outside the network will not be able to detect the presence of thefirewall by examining the contents of the packet or the ethernet framefield.

FIG. 7 shows a flow chart 130 of an alternative embodiment of networkfirewall protection in accordance with the present invention. As in FIG.6, a packet is received at the firewall 132 from the network exterior20. The embodiment of the present invention conducts a “passive copying”134 of the packet. This passive copying is the essentially the same asdescribed previously for FIG. 6. After the packet is passively copied134, the firewall analyzes the packet to determine whether or not it isacceptable to forward on to its destination in the network 136. Thefirewall analyzes the packet by the pattern matching technique, protocolanalysis, or any other suitable technique that is known in the art. Ifthe packet is acceptable, it is passed on through to the network 138. Ifthe packet is not acceptable, access to the network is denied 140 andthe packet is dropped 142 with no denial of access message being sent tothe source of the packet. As a result, there is no detectable responseto the sender of a denied from the firewall. Additionally, after thedenial of access 140 and dropping the packet 142, the attemptedintrusion into the network is logged 144. In alternative embodiments,the logging could be done before or simultaneous to dropping the packet142.

The logging of the attempted access offers several possible actionsavailable to network administrators. The logs of attempts ofunauthorized access could be forwarded on to the authorities for furtherinvestigation. Also, if the packets are part of a “denial of service”attack, the data could be routed back to the attacker. Typically, adenial of service attack involves a multitude of requests to the networkin such volume that it effectively shuts the network down.

In alternative embodiments, the firewall could be located in front ofvarious segments of the network instead of only at the connection to thenetwork exterior. This would provide protection not just from thenetwork exterior, but also from other parts of the network. It alsoprovides backup security should another firewall fail. The firewallcould also be used to protect other network components such as routersand switches as well as the end users themselves.

In addition to protecting against unauthorized intrusion, the presentinvention may also be used to remotely control and mange the firewall.FIG. 8 shows a firewall network with an external controller 150 inaccordance with one embodiment of the present invention. The network 150is similar to the prior art network previously described in FIG. 1. Thenetwork 150 includes a series of users 152 a–152 d that are linked andcontrolled through a server 154. The device could also be a router or aswitch for the network. A firewall 156 is installed between the server154 and the network exterior 20. The server 154, the firewall 156, andthe exterior 20 are interconnected through a single line 158. The singleline 158 prevents outsiders from accessing the network except throughthe firewall 156. In addition, an external controller 160 is shown inthe network exterior 20. The controller 160 is used to remotely managethe firewall by a user such as a system administrator.

The controller 160 contacts the firewall 156 through the data line fromthe network exterior. The controller uses a technique known as“spoofing” to establish contact with the controller 160. Spoofinginvolves sending a transmission that appears to be coming from anothersource in order to hide the identity of the sender. Typically, this isdone by embedding the address of the phony source in the data packet. Inthis embodiment of the invention, the controller 160 sends a commandpacket that is intended for the firewall 156 to some address destinationbehind the firewall. Inside the command packet is a password as well ascommand instructions to control the firewall 156. While a password isused in this embodiment, other embodiments could use other types ofidentification that are known in the art. Additionally, both the sourceaddress and the MAC address of the external controller 160 are spoofedto appear that they are coming from another source besides the externalcontroller 160. Once the command packet is received at the firewall 156,the firewall conducts its passive copying of the packet and it searchesfor the password. If the password is found, the command packet isallowed to access the firewall 156. After access is allowed, the commanddata packet from the controller 160 is dropped without a trace.

FIG. 9 shows a flow chart 170 of one embodiment of external networkcontrol of a firewall in accordance with the present invention. As inFIGS. 6 and 7, a packet is received at the firewall 172 from the networkexterior 20. The embodiment of the present invention conducts passivecopying 174 of the packet. This passive copying is the essentially thesame as described previously for FIGS. 6 and 7. After the packet ispassively copied 174, the firewall analyzes the packet to determinewhether or not it is acceptable to forward on to its destination in thenetwork 176. The firewall analyzes the packet by the pattern matchingtechnique, protocol analysis, or any other suitable technique that isknown in the art. If the packet is not acceptable, access to the networkis denied 178 and the packet is dropped 180 with no denial of accessmessage being sent to the source of the packet. As a result, there is nodetectable response to the sender of denied access from the firewall. Inother embodiments, after the denial of access 178 and dropping thepacket 180, the attempted intrusion into the network could be logged aspreviously described in FIG. 7. In alternative embodiments, the loggingcould be done before or simultaneous to dropping the packet 180.

If the packet is authorized to access the network, it is examined for apassword that indicates it is from the external controller 182. If nopassword is found, the packet is sent on to its network destination 184.If the password is found, the packet is allowed to access the firewall186 and its command instructions are implemented. Finally, the packet isdropped by the firewall 188. In alternative embodiments, the packetcould be examined for the password of the external controller 182 eitherbefore or simultaneously with the analysis of the data for properauthorization 176 to access the network.

This technique of managing a firewall provides security for severalreasons. First, the firewall leaves no trace of its presence in thecommand packet by passively copying its contents. Also, the externalcontroller leaves no trace of its origin by spoofing its address.Additionally, the command packet hides its true destination because itappears to be addressed to a destination behind the firewall. Finally,after the command packet accesses the firewall and its commandinstructions are received, it is dropped without a trace. Consequently,the firewall and its control mechanisms are hidden from any unauthorizedparties who may be monitoring or intercepting network traffic.

While the invention has been described with respect to a limited numberof embodiments, those skilled in the art, having benefit of thisdisclosure, will appreciate that other embodiments can be devised whichdo not depart from the scope of the invention as disclosed here.Accordingly, the scope of the invention should be limited only by theattached claims.

1. A method of preventing unauthorized access to a computer system,comprising: receiving a data packet at a firewall, where the data packetcomprises a frame field, a header, a body, and a trailer; passivelycopying the data packet at the firewall, where the passive copyingleaves the frame field, the header, the body, and the trailer of thedata packet unchanged so that there is no indication of the firewall inthe data packet; analyzing the passively copied data packet with thefirewall to determine if the data packet is authorized to access thecomputer system; sending an authorized data packet to the computersystem; and denying access of an unauthorized data packet to thecomputer system.
 2. The method of claim 1, further comprising: droppingthe unauthorized data packet.
 3. The method of claim 1, furthercomprising: logging the attempted access to the computer system of theunauthorized data packet.
 4. The method of claim 1, wherein the computersystem is a network.
 5. The method of claim 1, wherein the data packetis analyzed by a pattern matching system.
 6. A method of preventingunauthorized access to a computer system, comprising: step for receivingdata; step for passively copying the data, where the passive copyingleaves the data unchanged so that there is no indication of the firewallin the data packet; step for analyzing the passively copied data forauthorization to access the computer system; step for allowing access tothe computer system for authorized data; and step for denying access tothe computer system for unauthorized data.
 7. The method of claim 6,further comprising: step dropping unauthorized data.
 8. The method ofclaim 6, further comprising: step for logging an attempt to access thecomputer system by unauthorized data.
 9. A method of remotely managing afirewall, comprising: receiving a control data packet at the firewallfrom a remote location; passively copying the control data packet at thefirewall, where the passive copying leaves all content of the controldata packet unchanged so that there is no indication of the firewall inthe control data packet; analyzing the passively copied control datapacket to determine if the control data packet is authorized to accessthe firewall; and allowing an authorized control data packet to controlthe firewall.
 10. The method of claim 9, further comprising: droppingthe authorized control data packet.
 11. The method of claim 9, whereinthe control data packet is analyzed for a password.
 12. The method ofclaim 9, wherein the control data packet contains a false originationaddress.
 13. The method of claim 9, wherein the control data packetcontains a destination address that is protected by the firewall.
 14. Amethod of remotely managing a firewall, comprising: step for receivingcontrol data at the firewall from a remote location; step for passivelycopying the control data, where the passive copying leaves all contentof the control data unchanged so that there is no indication of thefirewall in the control data; step for analyzing the passively copiedcontrol data to determine if the control data is authorized to accessthe firewall; and step for allowing authorized control data to accessthe firewall.
 15. The method of claim 14, further comprising: step fordropping the authorized control data.